HAProxy Enterprise Offers SAML-based Single Sign-On

HAProxy Enterprise handles SAML single sign-on for your applications and integrates with identity providers like Azure Active Directory.

Single sign-on (SSO) is such a familiar convenience for companies that it’s easy to forget how powerful it is. When employees arrive at work, they can log in just once to access all of the applications that they will need during their workday, without needing to log in again, including to access applications running in the cloud or as SaaS services. There are security benefits, such as having fewer logins to protect, and it’s easier for IT to have one place where they can manage user profiles. Today, many companies provide a range of applications to their employees, with some running on-premises, others in the cloud, and others as third-party SaaS services. How does SSO work for a modern workplace like this? A popular solution, one that’s been around for 15 years, is called Security Assertion Markup Language (SAML), which is a protocol that lets you provide SSO using an Internet-based service that’s accessible to applications wherever they run.

Meet SAML

SAML prescribes two roles: an Identity Provider (IdP) and a Service Provider (SP). An IdP displays the login page, authenticates users, and stores user attributes like name, address, phone, and department; It can run inside your network or in the cloud so that it’s accessible from anywhere, and it provides unified user management for IT staff.

A Service Provider (SP) is one of your applications utilizing SSO. An SP redirects a user to the IdP for login; It trusts the IdP and the IdP knows which SPs will be contacting it. There are several IdPs you can choose from, including the on-premises Active Directory Federation Services (ADFS) and cloud-based services like Google G Suite, Auth0, Okta, Ping, and Azure Active Directory. Certainly, there are newcomers to the SSO space, such as the OpenID Connect protocol, which is better suited for mobile applications, but SAML enjoys long-standing support within many products.

Recommended Reading: Read Vittorio Bertocci’s book Modern Authentication with Azure Active Directory for Web Applications if you’re interested in a rich history of SAML and how it works.

While the IdP is implemented for you, you typically need to implement the SP and the client-side SAML logic yourself. The SAML protocol defines message types that both sides need to understand, with a standard set of communication flows. This is where HAProxy Enterprise comes into the picture. When you use HAProxy Enterprise as a high-performance load balancer in front of your applications, you can offload that SAML client logic to it, converting any web-based app into a compatible SP. HAProxy Enterprise handles redirecting your employees to the IdP, validating the responses, extracting identity claims, and allowing or denying access to your applications.

HAProxy Enterprise SAML SSO

Read the HAProxy SAML Quick Start guide to learn how to connect your HAProxy load balancer with Azure Active Directory for SSO. You’ll find all of the available options outlined there, but to understand how it works, let’s take a quick tour.

You can think of the Azure Active Directory Identity Provider as if it were an Active Directory domain controller in the cloud. Since it runs in the cloud, it’s accessible to your applications wherever they live—inside or outside of your corporate network. It just needs to know which of your applications will rely on it so that it knows where to send its responses. The IdP takes care of showing a login page to users.

HAProxy Enterprise handles SSO from the client-side so that your applications don’t have to. In fact, your applications don’t even need direct access to the Internet. Only HAProxy needs that. It communicates with the IdP using the SAML protocol, and allows or denies requests depending on whether the user has logged in successfully. Once a user has logged in, HAProxy stores a cookie in their browser so that they aren’t redirected back to the IdP on subsequent requests, which saves a roundtrip. All of the SSO logic is handled by an external module that’s connected to HAProxy through the unique Stream Processing Offload Protocol, which means that it can be installed only on the load balancers where you need it.

From a user’s perspective, accessing one of your applications with SSO looks like this:

saml login flow

SAML login flow

  1. I, a user, try to access an application that I have not yet logged into.

  2. HAProxy receives the request first and determines that I am not logged in.

  3. HAProxy redirects me to a sign-in page hosted by the IdP, which, in the case of Azure AD, is a page where I can sign in with my company / Microsoft account.

  4. After I’ve logged in, I am redirected back to the application. HAProxy sees that my request now includes a SAML response that confirms my identity and that has been digitally signed by the IdP, which proves that HAProxy can trust it.

  5. HAProxy sets a cookie in my browser so that it remembers that I am logged in, then relays my request to the backend application. I am now authenticated and can use the application freely.

Logging out is just as seamless:

sso diagram

SAML logout flow

  1. I, a user, log out of my current application using a known logout URL.

  2. HAProxy receives the request first and determines that I am logged in.

  3. HAProxy forwards me to the IdP where I see a few screens telling me that I am being logged out.

  4. The IdP logs me out at the global level and then sends logout requests to each registered app so that they can remove their respective session cookies and do any other cleanup.

You register each application in Azure AD’s Enterprise applications tab. In return, you get a unique ID and some other information that you set in HAProxy Enterprise. You also store a public certificate that HAProxy uses to validate Azure’s digital signature on the messages, which safeguards the communication from tampering and proves that the claims can be trusted. HAProxy will parse out the user’s identity information when it receives it and can pass it on to the backend application via HTTP headers, in case you want to customize the user experience using that information or apply some additional security measures or logging. The attributes might include the user’s name, address, phone number, etc. For example, here’s a claim that holds the user’s surname:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname: Ramirez

You can add new, custom claims in Azure AD if you like, such as one that lists the user’s home office location or their security access level. All user management happens using Azure AD, so you won’t have to add any specific user permissions in HAProxy Enterprise. Meanwhile, HAProxy Enterprise removes the complexity of negotiating SAML on the client side. The backend applications don’t need to concern themselves with authentication at all, greatly simplifying your suite of services.

HAProxy SAML: Conclusion

SAML solves SSO by moving user management and authentication to third-party services like Azure Active Directory. HAProxy Enterprise makes your local applications compatible instantly, simplifying administration and cutting down on development time. To learn more about HAProxy Enterprise and get started with SSO, contact us today or sign up for a free trial!

Subscribe to our blog. Get the latest release updates, tutorials, and deep-dives from HAProxy experts.